DealLawyers.com Blog

A recent FTI Consulting report says that cyber-attacks occur frequently following the closing of an M&A transaction, and that most companies aren’t adequately prepared to prevent those attacks. Here are some of the report’s rather alarming takeaways:

Impact on Deal Value and Post-Transaction Targets: More than two-thirds of those who experienced a cyber incident during or after a transaction claim it had a negative impact on the transaction in some capacity. Nearly half claimed the deal value was reduced as a result of the cyber incident, and another 20% stated that the transaction was paused or delayed. A majority (58%) believe the incident impaired the company’s ability to reach financial targets after the transaction.

Minimized Role for CISOs in Decision Making: A plurality of CISOs do not have a seat at the table during transaction due diligence, with one in three indicating they do not believe they have the ability to kill a transaction if the risk to the organization is too high during or after a transaction.

Disconnect between Growth Goals & Cybersecurity Risk: Pressure to close deals quickly comes at the expense of carefully weighing cybersecurity defenses (or lack thereof) during the due diligence process, exacerbating the somewhat inherent tension between growth and risk mitigation.

Cyber Integration Post Transaction is a Significant Challenge: Most organizations struggle to align and integrate their cybersecurity protocols and procedures post-deal, with 84% of survey respondents citing challenges in harmonizing IT systems and policies.

Companies are Targeted and Potentially Exposed at a Critical Moment: One in four respondents admit that their organization experienced a cyber incident within 24 months after closing a transaction, revealing lasting, real-world consequences for those who do not coordinate their cybersecurity and deal teams.

FTI says that one striking observation is the extent to which companies drop their guard post-closing. The report notes that during a transaction, 50% of executives say they take a fully proactive approach to cybersecurity risks. Post-closing, however, only 23% of executives saying they manage cybersecurity risks proactively.

– John Jenkins